authorDominick Grift <dominick.grift@gmail.com>2012-10-10 14:14:19 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2012-10-10 21:47:43 +0200
commitcc1683486de4e0322e5070e02ed3d85b2dc629f4 (patch)
treefe03a55b77059d7a77beb1f4fae096363b2aa783
parentTab clean up in logrotate file context file (diff)
Changes to the logrotate policy module and relevant dependencies
Ported from Fedora with changes Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
-rw-r--r--policy/modules/contrib/awstats.if20
-rw-r--r--policy/modules/contrib/awstats.te2
-rw-r--r--policy/modules/contrib/callweaver.if39
-rw-r--r--policy/modules/contrib/callweaver.te2
-rw-r--r--policy/modules/contrib/chronyd.if19
-rw-r--r--policy/modules/contrib/chronyd.te2
-rw-r--r--policy/modules/contrib/logrotate.fc3
-rw-r--r--policy/modules/contrib/logrotate.if16
-rw-r--r--policy/modules/contrib/logrotate.te127
-rw-r--r--policy/modules/contrib/polipo.if30
-rw-r--r--policy/modules/contrib/polipo.te2
11 files changed, 192 insertions, 70 deletions
diff --git a/policy/modules/contrib/awstats.if b/policy/modules/contrib/awstats.if
index 68313eda..68616dd9 100644
--- a/policy/modules/contrib/awstats.if
+++ b/policy/modules/contrib/awstats.if
@@ -2,6 +2,26 @@
########################################
## <summary>
+## Execute the awstats program in
+## the awstats domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`awstats_domtrans',`
+ gen_require(`
+ type awstats_t, awstats_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, awstats_exec_t, awstats_t)
+')
+
+########################################
+## <summary>
## Read and write awstats unnamed pipes. (Deprecated)
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/awstats.te b/policy/modules/contrib/awstats.te
index 8e2ed97e..8e8432c3 100644
--- a/policy/modules/contrib/awstats.te
+++ b/policy/modules/contrib/awstats.te
@@ -1,4 +1,4 @@
-policy_module(awstats, 1.4.1)
+policy_module(awstats, 1.4.2)
########################################
#
diff --git a/policy/modules/contrib/callweaver.if b/policy/modules/contrib/callweaver.if
index fcf96f90..16f1855f 100644
--- a/policy/modules/contrib/callweaver.if
+++ b/policy/modules/contrib/callweaver.if
@@ -2,6 +2,45 @@
########################################
## <summary>
+## Execute callweaver in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_exec',`
+ gen_require(`
+ type callweaver_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, callweaver_exec_t)
+')
+
+########################################
+## <summary>
+## Connect to callweaver over a
+## unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_stream_connect',`
+ gen_require(`
+ type callweaver_t, callweaver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an callweaver environment.
## </summary>
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index bfdbe388..528051e7 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -1,4 +1,4 @@
-policy_module(callweaver, 1.0.1)
+policy_module(callweaver, 1.0.2)
########################################
#
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index 0bf3ca7a..32e8265c 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -138,6 +138,25 @@ interface(`chronyd_dgram_send',`
dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
')
+########################################
+## <summary>
+## Read chronyd key files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_key_files',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
####################################
## <summary>
## All of the rules required to
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 8582a53b..914ee2d2 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.1.3)
+policy_module(chronyd, 1.1.4)
########################################
#
diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc
index d5eac78b..a11d5be9 100644
--- a/policy/modules/contrib/logrotate.fc
+++ b/policy/modules/contrib/logrotate.fc
@@ -2,8 +2,5 @@
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
-ifdef(`distro_debian',`
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-',`
/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-')
diff --git a/policy/modules/contrib/logrotate.if b/policy/modules/contrib/logrotate.if
index 9cd6b0b8..dd8e01af 100644
--- a/policy/modules/contrib/logrotate.if
+++ b/policy/modules/contrib/logrotate.if
@@ -1,4 +1,4 @@
-## <summary>Rotate and archive system logs</summary>
+## <summary>Rotates, compresses, removes and mails system log files.</summary>
########################################
## <summary>
@@ -21,8 +21,9 @@ interface(`logrotate_domtrans',`
########################################
## <summary>
-## Execute logrotate in the logrotate domain, and
-## allow the specified role the logrotate domain.
+## Execute logrotate in the logrotate
+## domain, and allow the specified
+## role the logrotate domain.
## </summary>
## <param name="domain">
## <summary>
@@ -38,11 +39,11 @@ interface(`logrotate_domtrans',`
#
interface(`logrotate_run',`
gen_require(`
- type logrotate_t;
+ attribute_role logrotate_roles;
')
logrotate_domtrans($1)
- role $2 types logrotate_t;
+ roleattribute $2 logrotate_roles;
')
########################################
@@ -84,7 +85,8 @@ interface(`logrotate_use_fds',`
########################################
## <summary>
-## Do not audit attempts to inherit logrotate file descriptors.
+## Do not audit attempts to inherit
+## logrotate file descriptors.
## </summary>
## <param name="domain">
## <summary>
@@ -102,7 +104,7 @@ interface(`logrotate_dontaudit_use_fds',`
########################################
## <summary>
-## Read a logrotate temporary files.
+## Read logrotate temporary files.
## </summary>
## <param name="domain">
## <summary>
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 7090dae7..1c941d3d 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,18 +1,20 @@
-policy_module(logrotate, 1.14.0)
+policy_module(logrotate, 1.14.1)
########################################
#
# Declarations
#
+attribute_role logrotate_roles;
+roleattribute system_r logrotate_roles;
+
type logrotate_t;
+type logrotate_exec_t;
domain_type(logrotate_t)
domain_obj_id_change_exemption(logrotate_t)
domain_system_change_exemption(logrotate_t)
-role system_r types logrotate_t;
-
-type logrotate_exec_t;
domain_entry_file(logrotate_t, logrotate_exec_t)
+role logrotate_roles types logrotate_t;
type logrotate_lock_t;
files_lock_file(logrotate_lock_t)
@@ -23,27 +25,21 @@ files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
+mta_base_mail_template(logrotate)
+role system_r types logrotate_mail_t;
+
########################################
#
# Local policy
#
-# Change ownership on log files.
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
-# for mailx
-dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
-
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-
-# Set a context other than the default one for newly created files.
-allow logrotate_t self:process setfscreate;
-
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
allow logrotate_t self:fd use;
+allow logrotate_t self:key manage_key_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
-allow logrotate_t self:unix_dgram_socket create_socket_perms;
-allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
allow logrotate_t self:unix_dgram_socket sendto;
-allow logrotate_t self:unix_stream_socket connectto;
+allow logrotate_t self:unix_stream_socket { accept connectto listen };
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
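Review bot: The new `self:capability` rule grants `setuid setgid` outright where the old policy only dontaudited them ("for mailx"), and the hunk deletes the comments without saying which logrotate feature needs the grant. With `chown dac_override fowner` already in the same set, logrotate_t can now change its own uid/gid, so the rule deserves a rationale, for example `# setuid/setgid: presumably for the logrotate "su" directive - confirm`. The complement-set `self:process` rule also now grants `setfscreate` implicitly, because it was dropped from the exclusion list and the explicit commented allow was removed. Keeping `allow logrotate_t self:process setfscreate;` as its own line, and leaving `setfscreate` in the exclusion list, would keep that grant visible to anyone auditing the policy.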
@@ -52,64 +48,61 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
-can_exec(logrotate_t, logrotate_tmp_t)
-
manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
-# for /var/lib/logrotate.status and /var/lib/logcheck
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
+can_exec(logrotate_t, logrotate_tmp_t)
+
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctls(logrotate_t)
-dev_read_urand(logrotate_t)
-
-fs_search_auto_mountpoints(logrotate_t)
-fs_getattr_xattr_fs(logrotate_t)
-fs_list_inotifyfs(logrotate_t)
-
-mls_file_read_all_levels(logrotate_t)
-mls_file_write_all_levels(logrotate_t)
-mls_file_upgrade(logrotate_t)
-
-selinux_get_fs_mount(logrotate_t)
-selinux_get_enforce_mode(logrotate_t)
-
-auth_manage_login_records(logrotate_t)
-auth_use_nsswitch(logrotate_t)
-
-# Run helper programs.
corecmd_exec_bin(logrotate_t)
corecmd_exec_shell(logrotate_t)
+corecmd_getattr_all_executables(logrotate_t)
+
+dev_read_urand(logrotate_t)
domain_signal_all_domains(logrotate_t)
domain_use_interactive_fds(logrotate_t)
domain_getattr_all_entry_files(logrotate_t)
-# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logrotate_t)
files_read_usr_files(logrotate_t)
-files_read_etc_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
files_search_all(logrotate_t)
files_read_var_lib_files(logrotate_t)
-# Write to /var/spool/slrnpull - should be moved into its own type.
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
+files_dontaudit_list_mnt(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_xattr_fs(logrotate_t)
+fs_list_inotifyfs(logrotate_t)
+
+mls_file_read_all_levels(logrotate_t)
+mls_file_write_all_levels(logrotate_t)
+mls_file_upgrade(logrotate_t)
+mls_process_write_to_clearance(logrotate_t)
+
+selinux_get_fs_mount(logrotate_t)
+selinux_get_enforce_mode(logrotate_t)
+
+auth_manage_login_records(logrotate_t)
+auth_use_nsswitch(logrotate_t)
-# cjp: why is this needed?
init_domtrans_script(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
logging_send_audit_msgs(logrotate_t)
-# cjp: why is this needed?
logging_exec_all_logs(logrotate_t)
miscfiles_read_localization(logrotate_t)
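Review bot: The two `# cjp: why is this needed?` markers above `init_domtrans_script(logrotate_t)` and `logging_exec_all_logs(logrotate_t)` are deleted here without the question being answered. Since `logging_manage_all_logs(logrotate_t)` stays, the domain can still both write and execute log-typed files, which is the combination the original comment was questioning. Either record the reason or keep an explicit marker such as `# TODO: confirm logging_exec_all_logs is still required; logrotate_t can also write these files`. The newly added `mls_process_write_to_clearance(logrotate_t)` and `corecmd_getattr_all_executables(logrotate_t)` would benefit from a one-line why-comment as well.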
@@ -120,21 +113,12 @@ userdom_use_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
-cron_system_entry(logrotate_t, logrotate_exec_t)
-cron_search_spool(logrotate_t)
-
-mta_send_mail(logrotate_t)
-
-ifdef(`distro_debian', `
- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
- # for savelog
+ifdef(`distro_debian',`
+ allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
can_exec(logrotate_t, logrotate_exec_t)
- # for syslogd-listfiles
- logging_read_syslog_config(logrotate_t)
-
- # for "test -x /sbin/syslogd"
logging_check_exec_syslog(logrotate_t)
+ logging_read_syslog_config(logrotate_t)
')
optional_policy(`
@@ -158,14 +142,28 @@ optional_policy(`
')
optional_policy(`
+ awstats_domtrans(logrotate_t)
+')
+
+optional_policy(`
bind_manage_cache(logrotate_t)
')
optional_policy(`
+ callweaver_exec(logrotate_t)
+ callweaver_stream_connect(logrotate_t)
+')
+
+optional_policy(`
consoletype_exec(logrotate_t)
')
optional_policy(`
+ cron_system_entry(logrotate_t, logrotate_exec_t)
+ cron_search_spool(logrotate_t)
+')
+
+optional_policy(`
cups_domtrans(logrotate_t)
')
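Review bot: `callweaver_exec(logrotate_t)` runs the callweaver binary inside logrotate_t itself, whereas the neighbouring `awstats_domtrans(logrotate_t)` and `cups_domtrans(logrotate_t)` transition into the service's own domain. Anything the callweaver executable does from a rotate script therefore inherits logrotate_t's capabilities and its manage access to all logs. If this is intentional (presumably the rotate script only uses the binary as a client to tell the running daemon to reopen its logs, which would explain `callweaver_stream_connect`), add a comment saying so, e.g. `# client invocation from postrotate only; talks to the daemon over its socket`. Otherwise a dedicated domtrans interface would be the narrower choice.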
@@ -178,6 +176,10 @@ optional_policy(`
')
optional_policy(`
+ chronyd_read_key_files(logrotate_t)
+')
+
+optional_policy(`
icecast_signal(logrotate_t)
')
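Review bot: `chronyd_read_key_files(logrotate_t)` gives logrotate_t read access to chronyd's key files with nothing to explain why a log rotator needs key material. Presumably chrony's rotate script has to authenticate to the daemon before asking it to cycle its logs, but that should be confirmed and written down. Add a comment inside the optional block, e.g. `# chrony postrotate authenticates to chronyd with the command key - confirm`. That lets a later reviewer see that the grant is deliberate and check whether it is still needed.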
@@ -200,9 +202,12 @@ optional_policy(`
')
optional_policy(`
- psad_domtrans(logrotate_t)
+ polipo_log_filetrans_log(logrotate_t, file, "polipo")
')
+optional_policy(`
+ psad_domtrans(logrotate_t)
+')
optional_policy(`
samba_exec_log(logrotate_t)
@@ -221,10 +226,20 @@ optional_policy(`
')
optional_policy(`
- #Red Hat bug 564565
su_exec(logrotate_t)
')
optional_policy(`
varnishd_manage_log(logrotate_t)
')
+
+#######################################
+#
+# Mail local policy
+#
+
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+
+logging_read_all_logs(logrotate_mail_t)
+
+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
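Review bot: `manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)` lets the mail helper create and modify files of a type that logrotate_t is allowed to execute (`can_exec(logrotate_t, logrotate_tmp_t)` earlier in this file). That opens a write-then-execute path from the less trusted mail domain back into logrotate_t. If the helper only has to read the temporary file being mailed, `read_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)` would be enough; whether it needs more is not visible from this hunk. `logging_read_all_logs(logrotate_mail_t)` is also broad for a domain whose job is to send mail off the host, so a comment stating which logs are expected to be mailed would help. The `#Red Hat bug 564565` reference removed above `su_exec(logrotate_t)` was the only rationale for that rule and is worth keeping.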
diff --git a/policy/modules/contrib/polipo.if b/policy/modules/contrib/polipo.if
index d20e1b1e..ae27bb7f 100644
--- a/policy/modules/contrib/polipo.if
+++ b/policy/modules/contrib/polipo.if
@@ -71,6 +71,36 @@ interface(`polipo_initrc_domtrans',`
########################################
## <summary>
+## Create specified objects in generic
+## log directories with the polipo
+## log file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`polipo_log_filetrans_log',`
+ gen_require(`
+ type polipo_log_t;
+ ')
+
+ logging_log_filetrans($1, polipo_log_t, $2, $3)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an polipo environment.
## </summary>
diff --git a/policy/modules/contrib/polipo.te b/policy/modules/contrib/polipo.te
index 2f6f8682..316d53a3 100644
--- a/policy/modules/contrib/polipo.te
+++ b/policy/modules/contrib/polipo.te
@@ -1,4 +1,4 @@
-policy_module(polipo, 1.0.3)
+policy_module(polipo, 1.0.4)
########################################
#